<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html 
     PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
     "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
  <title>Class: HTML::WhiteListSanitizer</title>
  <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
  <meta http-equiv="Content-Script-Type" content="text/javascript" />
  <link rel="stylesheet" href="../.././rdoc-style.css" type="text/css" media="screen" />
  <script type="text/javascript">
  // <![CDATA[

  function popupCode( url ) {
    window.open(url, "Code", "resizable=yes,scrollbars=yes,toolbar=no,status=no,height=150,width=400")
  }

  function toggleCode( id ) {
    if ( document.getElementById )
      elem = document.getElementById( id );
    else if ( document.all )
      elem = eval( "document.all." + id );
    else
      return false;

    elemStyle = elem.style;
    
    if ( elemStyle.display != "block" ) {
      elemStyle.display = "block"
    } else {
      elemStyle.display = "none"
    }

    return true;
  }
  
  // Make codeblocks hidden by default
  document.writeln( "<style type=\"text/css\">div.method-source-code { display: none }</style>" )
  
  // ]]>
  </script>

</head>
<body>



    <div id="classHeader">
        <table class="header-table">
        <tr class="top-aligned-row">
          <td><strong>Class</strong></td>
          <td class="class-name-in-header">HTML::WhiteListSanitizer</td>
        </tr>
        <tr class="top-aligned-row">
            <td><strong>In:</strong></td>
            <td>
                <a href="../../files/vendor/rails/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer_rb.html">
                vendor/rails/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
                </a>
        <br />
            </td>
        </tr>

        <tr class="top-aligned-row">
            <td><strong>Parent:</strong></td>
            <td>
                <a href="Sanitizer.html">
                Sanitizer
               </a>
            </td>
        </tr>
        </table>
    </div>
  <!-- banner header -->

  <div id="bodyContent">



  <div id="contextContent">



   </div>

    <div id="method-list">
      <h3 class="section-bar">Methods</h3>

      <div class="name-list">
      <a href="#M000180">contains_bad_protocols?</a>&nbsp;&nbsp;
      <a href="#M000179">process_attributes_for</a>&nbsp;&nbsp;
      <a href="#M000178">process_node</a>&nbsp;&nbsp;
      <a href="#M000176">sanitize_css</a>&nbsp;&nbsp;
      <a href="#M000177">tokenize</a>&nbsp;&nbsp;
      </div>
    </div>

  </div>


    <!-- if includes -->

    <div id="section">





      


    <!-- if method_list -->
    <div id="methods">
      <h3 class="section-bar">Public Instance methods</h3>

      <div id="method-M000176" class="method-detail">
        <a name="M000176"></a>

        <div class="method-heading">
          <a href="#M000176" class="method-signature">
          <span class="method-name">sanitize_css</span><span class="method-args">(style)</span>
          </a>
        </div>
      
        <div class="method-description">
          <p>
Sanitizes a block of css code. Used by sanitize when it comes across a
style attribute
</p>
          <p><a class="source-toggle" href="#"
            onclick="toggleCode('M000176-source');return false;">[Source]</a></p>
          <div class="method-source-code" id="M000176-source">
<pre>
     <span class="ruby-comment cmt"># File vendor/rails/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb, line 104</span>
104:     <span class="ruby-keyword kw">def</span> <span class="ruby-identifier">sanitize_css</span>(<span class="ruby-identifier">style</span>)
105:       <span class="ruby-comment cmt"># disallow urls</span>
106:       <span class="ruby-identifier">style</span> = <span class="ruby-identifier">style</span>.<span class="ruby-identifier">to_s</span>.<span class="ruby-identifier">gsub</span>(<span class="ruby-regexp re">/url\s*\(\s*[^\s)]+?\s*\)\s*/</span>, <span class="ruby-value str">' '</span>)
107: 
108:       <span class="ruby-comment cmt"># gauntlet</span>
109:       <span class="ruby-keyword kw">if</span> <span class="ruby-identifier">style</span> <span class="ruby-operator">!~</span> <span class="ruby-regexp re">/^([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\&quot;[\s\w]+\&quot;|\([\d,\s]+\))*$/</span> <span class="ruby-operator">||</span>
110:           <span class="ruby-identifier">style</span> <span class="ruby-operator">!~</span> <span class="ruby-regexp re">/^(\s*[-\w]+\s*:\s*[^:;]*(;|$))*$/</span>
111:         <span class="ruby-keyword kw">return</span> <span class="ruby-value str">''</span>
112:       <span class="ruby-keyword kw">end</span>
113: 
114:       <span class="ruby-identifier">clean</span> = []
115:       <span class="ruby-identifier">style</span>.<span class="ruby-identifier">scan</span>(<span class="ruby-regexp re">/([-\w]+)\s*:\s*([^:;]*)/</span>) <span class="ruby-keyword kw">do</span> <span class="ruby-operator">|</span><span class="ruby-identifier">prop</span>,<span class="ruby-identifier">val</span><span class="ruby-operator">|</span>
116:         <span class="ruby-keyword kw">if</span> <span class="ruby-identifier">allowed_css_properties</span>.<span class="ruby-identifier">include?</span>(<span class="ruby-identifier">prop</span>.<span class="ruby-identifier">downcase</span>)
117:           <span class="ruby-identifier">clean</span> <span class="ruby-operator">&lt;&lt;</span>  <span class="ruby-identifier">prop</span> <span class="ruby-operator">+</span> <span class="ruby-value str">': '</span> <span class="ruby-operator">+</span> <span class="ruby-identifier">val</span> <span class="ruby-operator">+</span> <span class="ruby-value str">';'</span>
118:         <span class="ruby-keyword kw">elsif</span> <span class="ruby-identifier">shorthand_css_properties</span>.<span class="ruby-identifier">include?</span>(<span class="ruby-identifier">prop</span>.<span class="ruby-identifier">split</span>(<span class="ruby-value str">'-'</span>)[<span class="ruby-value">0</span>].<span class="ruby-identifier">downcase</span>) 
119:           <span class="ruby-keyword kw">unless</span> <span class="ruby-identifier">val</span>.<span class="ruby-identifier">split</span>().<span class="ruby-identifier">any?</span> <span class="ruby-keyword kw">do</span> <span class="ruby-operator">|</span><span class="ruby-identifier">keyword</span><span class="ruby-operator">|</span>
120:             <span class="ruby-operator">!</span><span class="ruby-identifier">allowed_css_keywords</span>.<span class="ruby-identifier">include?</span>(<span class="ruby-identifier">keyword</span>) <span class="ruby-operator">&amp;&amp;</span> 
121:               <span class="ruby-identifier">keyword</span> <span class="ruby-operator">!~</span> <span class="ruby-regexp re">/^(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)$/</span>
122:           <span class="ruby-keyword kw">end</span>
123:             <span class="ruby-identifier">clean</span> <span class="ruby-operator">&lt;&lt;</span> <span class="ruby-identifier">prop</span> <span class="ruby-operator">+</span> <span class="ruby-value str">': '</span> <span class="ruby-operator">+</span> <span class="ruby-identifier">val</span> <span class="ruby-operator">+</span> <span class="ruby-value str">';'</span>
124:           <span class="ruby-keyword kw">end</span>
125:         <span class="ruby-keyword kw">end</span>
126:       <span class="ruby-keyword kw">end</span>
127:       <span class="ruby-identifier">clean</span>.<span class="ruby-identifier">join</span>(<span class="ruby-value str">' '</span>)
128:     <span class="ruby-keyword kw">end</span>
</pre>
          </div>
        </div>
      </div>

      <h3 class="section-bar">Protected Instance methods</h3>

      <div id="method-M000180" class="method-detail">
        <a name="M000180"></a>

        <div class="method-heading">
          <a href="#M000180" class="method-signature">
          <span class="method-name">contains_bad_protocols?</span><span class="method-args">(attr_name, value)</span>
          </a>
        </div>
      
        <div class="method-description">
          <p><a class="source-toggle" href="#"
            onclick="toggleCode('M000180-source');return false;">[Source]</a></p>
          <div class="method-source-code" id="M000180-source">
<pre>
     <span class="ruby-comment cmt"># File vendor/rails/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb, line 168</span>
168:     <span class="ruby-keyword kw">def</span> <span class="ruby-identifier">contains_bad_protocols?</span>(<span class="ruby-identifier">attr_name</span>, <span class="ruby-identifier">value</span>)
169:       <span class="ruby-identifier">uri_attributes</span>.<span class="ruby-identifier">include?</span>(<span class="ruby-identifier">attr_name</span>) <span class="ruby-operator">&amp;&amp;</span> 
170:       (<span class="ruby-identifier">value</span> <span class="ruby-operator">=~</span> <span class="ruby-regexp re">/(^[^\/:]*):|(&amp;#0*58)|(&amp;#x70)|(%|&amp;#37;)3A/</span> <span class="ruby-operator">&amp;&amp;</span> <span class="ruby-operator">!</span><span class="ruby-identifier">allowed_protocols</span>.<span class="ruby-identifier">include?</span>(<span class="ruby-identifier">value</span>.<span class="ruby-identifier">split</span>(<span class="ruby-identifier">protocol_separator</span>).<span class="ruby-identifier">first</span>))
171:     <span class="ruby-keyword kw">end</span>
</pre>
          </div>
        </div>
      </div>

      <div id="method-M000179" class="method-detail">
        <a name="M000179"></a>

        <div class="method-heading">
          <a href="#M000179" class="method-signature">
          <span class="method-name">process_attributes_for</span><span class="method-args">(node, options)</span>
          </a>
        </div>
      
        <div class="method-description">
          <p><a class="source-toggle" href="#"
            onclick="toggleCode('M000179-source');return false;">[Source]</a></p>
          <div class="method-source-code" id="M000179-source">
<pre>
     <span class="ruby-comment cmt"># File vendor/rails/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb, line 155</span>
155:     <span class="ruby-keyword kw">def</span> <span class="ruby-identifier">process_attributes_for</span>(<span class="ruby-identifier">node</span>, <span class="ruby-identifier">options</span>)
156:       <span class="ruby-keyword kw">return</span> <span class="ruby-keyword kw">unless</span> <span class="ruby-identifier">node</span>.<span class="ruby-identifier">attributes</span>
157:       <span class="ruby-identifier">node</span>.<span class="ruby-identifier">attributes</span>.<span class="ruby-identifier">keys</span>.<span class="ruby-identifier">each</span> <span class="ruby-keyword kw">do</span> <span class="ruby-operator">|</span><span class="ruby-identifier">attr_name</span><span class="ruby-operator">|</span>
158:         <span class="ruby-identifier">value</span> = <span class="ruby-identifier">node</span>.<span class="ruby-identifier">attributes</span>[<span class="ruby-identifier">attr_name</span>].<span class="ruby-identifier">to_s</span>
159: 
160:         <span class="ruby-keyword kw">if</span> <span class="ruby-operator">!</span><span class="ruby-identifier">options</span>[<span class="ruby-identifier">:attributes</span>].<span class="ruby-identifier">include?</span>(<span class="ruby-identifier">attr_name</span>) <span class="ruby-operator">||</span> <span class="ruby-identifier">contains_bad_protocols?</span>(<span class="ruby-identifier">attr_name</span>, <span class="ruby-identifier">value</span>)
161:           <span class="ruby-identifier">node</span>.<span class="ruby-identifier">attributes</span>.<span class="ruby-identifier">delete</span>(<span class="ruby-identifier">attr_name</span>)
162:         <span class="ruby-keyword kw">else</span>
163:           <span class="ruby-identifier">node</span>.<span class="ruby-identifier">attributes</span>[<span class="ruby-identifier">attr_name</span>] = <span class="ruby-identifier">attr_name</span> <span class="ruby-operator">==</span> <span class="ruby-value str">'style'</span> <span class="ruby-operator">?</span> <span class="ruby-identifier">sanitize_css</span>(<span class="ruby-identifier">value</span>) <span class="ruby-operator">:</span> <span class="ruby-constant">CGI</span><span class="ruby-operator">::</span><span class="ruby-identifier">escapeHTML</span>(<span class="ruby-identifier">value</span>)
164:         <span class="ruby-keyword kw">end</span>
165:       <span class="ruby-keyword kw">end</span>
166:     <span class="ruby-keyword kw">end</span>
</pre>
          </div>
        </div>
      </div>

      <div id="method-M000178" class="method-detail">
        <a name="M000178"></a>

        <div class="method-heading">
          <a href="#M000178" class="method-signature">
          <span class="method-name">process_node</span><span class="method-args">(node, result, options)</span>
          </a>
        </div>
      
        <div class="method-description">
          <p><a class="source-toggle" href="#"
            onclick="toggleCode('M000178-source');return false;">[Source]</a></p>
          <div class="method-source-code" id="M000178-source">
<pre>
     <span class="ruby-comment cmt"># File vendor/rails/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb, line 138</span>
138:     <span class="ruby-keyword kw">def</span> <span class="ruby-identifier">process_node</span>(<span class="ruby-identifier">node</span>, <span class="ruby-identifier">result</span>, <span class="ruby-identifier">options</span>)
139:       <span class="ruby-identifier">result</span> <span class="ruby-operator">&lt;&lt;</span> <span class="ruby-keyword kw">case</span> <span class="ruby-identifier">node</span>
140:         <span class="ruby-keyword kw">when</span> <span class="ruby-constant">HTML</span><span class="ruby-operator">::</span><span class="ruby-constant">Tag</span>
141:           <span class="ruby-keyword kw">if</span> <span class="ruby-identifier">node</span>.<span class="ruby-identifier">closing</span> <span class="ruby-operator">==</span> <span class="ruby-identifier">:close</span>
142:             <span class="ruby-identifier">options</span>[<span class="ruby-identifier">:parent</span>].<span class="ruby-identifier">shift</span>
143:           <span class="ruby-keyword kw">else</span>
144:             <span class="ruby-identifier">options</span>[<span class="ruby-identifier">:parent</span>].<span class="ruby-identifier">unshift</span> <span class="ruby-identifier">node</span>.<span class="ruby-identifier">name</span>
145:           <span class="ruby-keyword kw">end</span>
146:           
147:           <span class="ruby-identifier">process_attributes_for</span> <span class="ruby-identifier">node</span>, <span class="ruby-identifier">options</span>
148: 
149:           <span class="ruby-identifier">options</span>[<span class="ruby-identifier">:tags</span>].<span class="ruby-identifier">include?</span>(<span class="ruby-identifier">node</span>.<span class="ruby-identifier">name</span>) <span class="ruby-operator">?</span> <span class="ruby-identifier">node</span> <span class="ruby-operator">:</span> <span class="ruby-keyword kw">nil</span>
150:         <span class="ruby-keyword kw">else</span>
151:           <span class="ruby-identifier">bad_tags</span>.<span class="ruby-identifier">include?</span>(<span class="ruby-identifier">options</span>[<span class="ruby-identifier">:parent</span>].<span class="ruby-identifier">first</span>) <span class="ruby-operator">?</span> <span class="ruby-keyword kw">nil</span> <span class="ruby-operator">:</span> <span class="ruby-identifier">node</span>.<span class="ruby-identifier">to_s</span>.<span class="ruby-identifier">gsub</span>(<span class="ruby-regexp re">/&lt;/</span>, <span class="ruby-value str">&quot;&amp;lt;&quot;</span>)
152:       <span class="ruby-keyword kw">end</span>
153:     <span class="ruby-keyword kw">end</span>
</pre>
          </div>
        </div>
      </div>

      <div id="method-M000177" class="method-detail">
        <a name="M000177"></a>

        <div class="method-heading">
          <a href="#M000177" class="method-signature">
          <span class="method-name">tokenize</span><span class="method-args">(text, options)</span>
          </a>
        </div>
      
        <div class="method-description">
          <p><a class="source-toggle" href="#"
            onclick="toggleCode('M000177-source');return false;">[Source]</a></p>
          <div class="method-source-code" id="M000177-source">
<pre>
     <span class="ruby-comment cmt"># File vendor/rails/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb, line 131</span>
131:     <span class="ruby-keyword kw">def</span> <span class="ruby-identifier">tokenize</span>(<span class="ruby-identifier">text</span>, <span class="ruby-identifier">options</span>)
132:       <span class="ruby-identifier">options</span>[<span class="ruby-identifier">:parent</span>] = []
133:       <span class="ruby-identifier">options</span>[<span class="ruby-identifier">:attributes</span>] <span class="ruby-operator">||=</span> <span class="ruby-identifier">allowed_attributes</span>
134:       <span class="ruby-identifier">options</span>[<span class="ruby-identifier">:tags</span>]       <span class="ruby-operator">||=</span> <span class="ruby-identifier">allowed_tags</span>
135:       <span class="ruby-keyword kw">super</span>
136:     <span class="ruby-keyword kw">end</span>
</pre>
          </div>
        </div>
      </div>


    </div>


  </div>


<div id="validator-badges">
  <p><small><a href="http://validator.w3.org/check/referer">[Validate]</a></small></p>
</div>

</body>
</html>